In this first exercise, we run Bro on a trace file, trying a few analyzers and examining the output. For the following, use the trace trace-1.pcap.

  1. Connection summaries. We begin by examining TCP connection summaries. Run Bro with the following command line on the trace and examine its output files:

    bro -r trace-1.pcap tcp alarm weird
    1. Which output files does Bro generate with this configuration?

      Solution

      > ls *.log
      alarm.log  conn.log  debug.log  notice.log  weird.log

    2. How many connections are there in the first trace file? How many of them are longer than 3 seconds? How many connections to port 80 did the client 10.20.144.1 initiate? How many connections transferred a non-trivial amount of TCP payload? What are the top-10 services in this trace across all connections?

      Solution

      # Total connections.
      > wc -l conn.log
      2547 conn.log
      # Longer than 3 seconds.
      > cat conn.log | awk '$2+0 > 3' | wc -l
      44
      # Port 80 connections by client.
      > cat conn.log | awk '$3=="10.20.144.1" && $7=="80"' | wc -l
      44
      # Non-trivial payload.
      > cat conn.log | awk '$9+$10 > 0' | wc -l
      123
      # Top-10 services.
      > cat conn.log | awk '{print $5}' | sort | uniq -c | sort -rn | head -10
      2039 other
       411 http
        12 https
        11 ftp
         9 telnet
         9 finger
         4 ident
         4 bgp
         3 smtp
         3 portmap

    3. Create a site configuration file mysite.bro defining the networks Bro should consider as local:

      @load site
      redef local_nets += {
        10.20.11.0/24,
        10.20.12.0/24,
      };

      Now, how many connections in the trace are initiated by local hosts?

      Solution

      > cat conn.log | awk '$12=="L"' | wc -l
      654
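
    To show what the awk one-liners above are selecting, here is an added Python example (not part of the original exercise) that parses conn.log records in the field layout visible in the solutions (timestamp, duration, originator, responder, service, ports, protocol, bytes each way, state, and the L/X local flag) and computes the same counts. The sample records are constructed, and treating "?" placeholders as zero (mirroring awk's `$2+0` coercion) is an assumption.

```python
from collections import Counter, namedtuple

# Constructed sample records in the whitespace-separated layout of the
# exercise's conn.log; they are NOT taken from trace-1.pcap.
SAMPLE_CONN_LOG = """\
964953566.401660 10.859970 10.20.12.187 10.20.1.140 ftp 7403 21 tcp 51 651 SF X #1 ftp/ftp@
964953570.000000 0.120000 10.20.144.1 10.20.1.5 http 40001 80 tcp 300 1200 SF X #2
964953571.000000 4.500000 10.20.144.1 10.20.1.5 http 40002 80 tcp 0 0 S0 X #3
964953572.000000 ? 10.20.11.9 10.20.1.7 other 5000 6000 tcp ? ? OTH L #4
964953573.000000 0.010000 10.20.12.3 10.20.1.8 other 5001 25 tcp 10 0 RSTO L #5
"""

# Field order as used by the awk solutions ($1 .. $12).
Conn = namedtuple("Conn", "ts duration orig resp service orig_port resp_port "
                          "proto orig_bytes resp_bytes state flags")

def _num(field, cast):
    """Mimic awk's `$n+0`: a non-numeric placeholder such as '?' becomes 0 (assumption)."""
    try:
        return cast(field)
    except ValueError:
        return cast(0)

def parse_conn_log(text):
    """Turn conn.log text into Conn records, skipping blank or truncated lines."""
    conns = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12:
            continue
        conns.append(Conn(float(f[0]), _num(f[1], float), f[2], f[3], f[4],
                          _num(f[5], int), _num(f[6], int), f[7],
                          _num(f[8], int), _num(f[9], int), f[10], f[11]))
    return conns

def summarize(conns, client, local_flag="L"):
    """Answer the exercise's questions for one client address."""
    return {
        "total": len(conns),
        "longer_than_3s": sum(c.duration > 3 for c in conns),
        "client_port80": sum(c.orig == client and c.resp_port == 80 for c in conns),
        "nontrivial_payload": sum(c.orig_bytes + c.resp_bytes > 0 for c in conns),
        "top_services": Counter(c.service for c in conns).most_common(10),
        "local_initiated": sum(c.flags == local_flag for c in conns),
    }
```

    Run it against the real file with `summarize(parse_conn_log(open("conn.log").read()), "10.20.144.1")`; the counts should match the awk results above.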

  2. Analyzers. Try some more analyzers and examine the log files they generate:

    1. bro -r trace-1.pcap tcp alarm weird http-request http-reply

    2. bro -r trace-1.pcap tcp alarm weird scan

    3. bro -r trace-1.pcap tcp alarm weird ftp

    4. bro -r trace-1.pcap mt

  3. Examining a connection more closely. The FTP analyzer reports some alarms for this trace.

    1. Determine the IP address of the offender and identify the first successful FTP connection from that source.

      Solution

      > grep FTP alarm.log
      964953661.321808 FTP_Sensitive ftp: 10.20.12.187/16810 > 10.20.1.140/ftp #3 SITE EXEC %p (no reply)
      [...]
      > cat conn.log | awk '$3 == "10.20.12.187" && $5=="ftp" && $11=="SF"' | head -1
      964953566.401660 10.859970 10.20.12.187 10.20.1.140 ftp 7403 21 tcp 51 651 SF X #1 ftp/ftp@

    2. Extract the packets of that connection from the input trace using tcpdump.

      Solution

      > tcpdump -r trace-1.pcap -w conn.pcap host 10.20.12.187 and port 7403 and host 10.20.1.140 and port 21

    3. Now run Bro with its contents.bro script on just this single connection to extract the reassembled payload of the connection. What did the server think about the password given by the client?

      Solution

      > bro -r conn.pcap contents
      > grep "230-" contents.10.20.1.140.21-10.20.12.187.7403
      230-The response 'ftp@' is not valid
      230-Next time please use your e-mail address as your password
      230-        for example: joe@10.20.12.187
